RSA Data Security


RSA Data Security pioneered and marketed the technology that makes it possible to communicate and transfer information and documents securely on the Internet and to establish and authenticate the identity of virtual trading partners, developments essential to the widespread acceptance of electronic commerce. The technology could also be used to prevent snoopers from eavesdropping on cell phone calls and other digital communications. RSA's technology, called public-key encryption, was an advance of light-years over previous schemes to make computers, computer networks, and computer data tamper-proof. In fact, RSA encryption products almost proved too successful. As the digital age dawned, the company found itself squaring off with two of the most powerful and secretive agencies of the U.S. government, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The government claimed RSA's encryption techniques made it possible for spies and criminals to plan and act without fear of detection by intelligence or law enforcement agencies. Undeterred, in the mid-1990s RSA joined forces with another maker of electronic security products and developed a fully integrated line of security products for businesses and other organizations.

RSA's security systems are based on a mathematical theory for public-key encryption, which encodes data using formulas called algorithms. Public-key encryption represented a huge step beyond earlier encryption systems, which relied on a single "key" to encode and decode data. Everyone who wanted to send or receive information using this encryption system had to possess the secret key. Having to spread the secret around, however, was the weak link in a "single key" system. The more people who knew the secret, the more likely that it would eventually be found out by outsiders.

RSA's encryption products use two keys. If John Doe wants to receive encrypted files or e-mail, he has a public key and a private key, each one a number one hundred or more digits long, linked by the encryption algorithm. Doe can give the public key to anyone who wants to send him coded information. It can remain public knowledge, because it cannot be used to decode messages encrypted for Doe. For that, the private key is needed, and only Doe possesses it. An important application of public-key encryption in the realm of e-commerce is the secure transmission of credit card information to online merchants.

Alternatively, John Doe can use his private key to encode a document, such as a contract, and send it to someone who knows his public key. Using the public key, the recipient can open the encrypted message. The fact that Doe's key opens it guarantees that it came from Doe. In addition, Doe could send two versions of a document, one scrambled and one unscrambled. If they match when opened, it guarantees that the documents have not been tampered with en route. Thus RSA encryption systems not only hide data from prying eyes, they can also be used to authenticate the identity of a sender and to verify the integrity of transmitted data.
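The two uses of Doe's key pair described above (encrypting to him with his public key, and signing with his private key so that anyone can check origin and integrity) are shown here as an added example, not code from RSA Data Security. It is textbook RSA on constructed toy values: the primes, the card number, the contract text, and the choice to sign a SHA-256 digest instead of sending a second scrambled copy are all assumptions made for illustration.

```python
# Added illustration: textbook RSA on constructed toy values. No padding and a
# small modulus: it demonstrates the two-key idea, not a production scheme.
from hashlib import sha256

# Two well-known Mersenne primes stand in for the secret primes (assumption:
# real keys use random primes that are each hundreds of digits long).
P, Q = 2**31 - 1, 2**61 - 1
E = 65537  # commonly used public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (n, exponent) pairs linked by n = p * q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def apply_key(value, key):
    """The single RSA operation: value ** exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def digest(document: bytes, n: int) -> int:
    """Hash the document to a number that fits under the modulus."""
    return int.from_bytes(sha256(document).digest(), "big") % n


def sign(document: bytes, private) -> int:
    return apply_key(digest(document, private[0]), private)


def verify(document: bytes, signature: int, public) -> bool:
    # Open the signature with the public key; compare with the copy received.
    return apply_key(signature, public) == digest(document, public[0])


DOE_PUBLIC, DOE_PRIVATE = make_keypair()

# Confidentiality: anyone encrypts with Doe's public key; only his private key opens it.
card_number = 4111111111111111  # constructed test value
ciphertext = apply_key(card_number, DOE_PUBLIC)
recovered = apply_key(ciphertext, DOE_PRIVATE)

# Authenticity and integrity: Doe signs with the private key; anyone verifies.
contract = b"Doe agrees to pay 100 dollars."  # constructed document
signature = sign(contract, DOE_PRIVATE)
```

Changing a single character of the contract makes `verify` return `False`, which is the tamper check the paragraph describes.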

Public-key encryption was invented as a viable computer technology in 1977 by three scientists at the Massachusetts Institute of Technology. They founded RSA Data Security in 1982 to market their invention. Unfortunately, the math done by their encryption software was far too memory-intensive for most computers in the 1980s. In 1986 RSA was on the verge of bankruptcy, and Jim Bidzos was brought in as CEO. Under Bidzos the company's fortunes turned around. Lotus adopted an RSA encryption system in 1987 for its Lotus Notes software. Two years later, Digital Equipment Corp., which was then strongly committed to developing computer networks, joined a strategic alliance with RSA. The firm got an important endorsement in 1989 when its technology was adopted by the technical committee of a then little-known computer network with about a half million users, known as the Internet. The computer community, public and private alike, was clearly anxious to find a reliable, standard security solution for protecting its communications and networks. By 1991, RSA seemed to be the default winner. Nearly all major American computer companies, including Motorola, Apple, Novell, and Microsoft, were incorporating RSA software in their products; even the U.S. Department of Defense licensed the firm's encryption software.

The Defense Department adoption took on an ironic dimension shortly afterward. In July 1990 the National Security Agency (NSA), a large, highly secretive government intelligence agency that specializes in intercepting and decoding the encrypted communications of foreign governments, came out in opposition to a plan to endorse RSA as the standard for the entire government. NSA interest in RSA technology dated from the early 1980s, when it used its behind-the-scenes influence to block the system's adoption by the Department of Commerce. In 1990 the NSA opposed RSA's system precisely because it was so effective: its codes were virtually uncrackable. The NSA feared that once the technology spread overseas, the agency would no longer be able to read coded communications. The FBI also denounced RSA products on the grounds that they would make monitoring the phones and e-mail of criminals and terrorists virtually impossible.

In April 1993 the government countered with a solution of its own: the Clipper chip. The Clipper chip created a third key, which gave the government access to any encrypted information. The implications for privacy played right into the hands of RSA's Bidzos, a promotional master who publicly called for the computer industry to boycott products with "Big Brother inside." He argued that forcing a compromised system on the American computer industry would ultimately only succeed in giving the edge in encryption research and sales to foreign countries. Those nations, he argued, would simply reject out of hand any system that gave the U.S. government unlimited access. RSA cannily organized conferences on the encryption question that drew the computer industry together into a united front against government efforts to impose its system. At one conference, held in January 1994, a group of leading hardware, software, and telecommunications firms jointly defied the government and unilaterally rejected the Clipper chip in favor of RSA's system. By the middle of 1994, RSA had sold more than four million copies of its software.

By 1996, the computer industry was in agreement that the lack of a universally accepted structure of secure payment was the main roadblock to the acceptance of e-commerce. Nonetheless, by that time the widespread licensing of RSA by all major American computer firms had made it the de facto industry standard anyway. Bidzos continued to defy the government. He challenged federal technology export restrictions by establishing an RSA subsidiary in Japan to manufacture encryption chips that RSA was prohibited from exporting. He formed another subsidiary in the People's Republic of China to produce 40-bit encryption technology, despite claims by the government that the Chinese would use the technology (whose export was federally approved in any case) to develop much more powerful systems of their own.

There was widespread speculation that RSA would follow the trend among upstart Internet firms and go public with a stock offering in 1996. Instead Bidzos negotiated the firm's purchase by Security Dynamics Technologies, Inc., a Massachusetts firm that produced computer security devices such as smart cards. The purchase price reflected how bright RSA's future was seen to be: at about $200 million in stock, it exceeded RSA's 1995 sales more than fifteen-fold. The two companies combined their two product lines into an integrated line of computer and electronic security software and devices. In 1999, Security Dynamics changed its name to RSA Security Inc.

In 1998, RSA sponsored a contest which offered a prize of $10,000 to whoever was able to crack a code encrypted in DES (Data Encryption Standard), the standard finally adopted by the government and one used by numerous financial institutions for transmitting funds electronically. The prize was won by a two-man team, a computer privacy activist and a hacker, who decoded the code in 56 hours. The contest showed the weakness of the government standard compared with RSA's. Ironically, the contest data was encrypted in a form of DES much more powerful than the encryption technology permitted for export.
